Dismiss
InnovationQ will be updated on Sunday, Oct. 22, from 10am ET - noon. You may experience brief service interruptions during that time.
Browse Prior Art Database

Enhanceable Authorization Mechanism

IP.com Disclosure Number: IPCOM000039447D
Original Publication Date: 1987-Jun-01
Included in the Prior Art Database: 2005-Feb-01
Document File: 2 page(s) / 15K

Publishing Venue

IBM

Related People

Kramer, PH: AUTHOR

Abstract

An authorization mechanism allows enhancement. The mechanism is applicable in a capability-based addressing system and allows definition of additional operation access rights to the existing system authorization model. Capability-based addressing systems are characterized by a resource-based approach toward computing. A resource in this instance refers to an identifiable and isolatable storage structure within a system (e.g., programs, files, processes). This is a method of structuring systems based on abstraction. These abstractions are composed of a set of resources and a specific set of operations for each type of resource (each type collectively referred to as a resource manager). By appropriate structuring of the system, the resource is isolated such that the resource is affected by operations defined on it.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 49% of the total text.

Page 1 of 2

Enhanceable Authorization Mechanism

An authorization mechanism allows enhancement. The mechanism is applicable in a capability-based addressing system and allows definition of additional operation access rights to the existing system authorization model. Capability-based addressing systems are characterized by a resource-based approach toward computing. A resource in this instance refers to an identifiable and isolatable storage structure within a system (e.g., programs, files, processes). This is a method of structuring systems based on abstraction. These abstractions are composed of a set of resources and a specific set of operations for each type of resource (each type collectively referred to as a resource manager). By appropriate structuring of the system, the resource is isolated such that the resource is affected by operations defined on it. This is referred to as encapsulation. By encapsulating resources, actions against a resource are controlled by the interfaces that manipulate the resource. This limits the actions against a resource to a well-defined set of functions improving integrity of that resource. The system provides an authorization mechanism for controlling access to the resource at this operation level. This is done by providing an access vector (containing a list of access rights, one per operation) that is checked by the resource's manager whenever an operation is requested. Each user with access rights to a resource has an associated access vector. If the state of the access vector is accepted by the resource manager, the operation is performed; if not, the request is rejected. By defining a common access vector for each resource type, containing one access right per operation, the principle of minimal privilege (users can be restricted to having no more rights than absolutely necessary) is satisfied. System implementations usually architect a set of the authorizations in the access vector and allow one user to grant or revoke authorities for a resource to other users (subject to the grantor/revoker having appropriate authorities). Granting authority to a user gives the new user the granted rights to the resource, thus allowing the new user to perform operations on the resource. Revoking removes rights that a user has to a resource so the user can no longer successfully request those revoked operations. Granting and revoking authority results in updating access vectors. A resource manager provides three new interfaces, GRANT, REVOKE, and RETRIEVE FOR DISPLAY. To perform GRANT or REVOKE, a user (human or program) enters: 1. a list of authorities to be processed. 2. the user that they are to be processed for. 3. the resource they relate to. Common system security functions determine that the issuer has the appropriate authority to be issuing the request, verifies the user whose authorities are to be modified, and ensures that the resource exists. If all these are successful, the existing access vector, if any...